VM-Series Auto Scaling Template for AWS Version 1.2
The items in this checklist are actions and choices you must make for implementing this solution.
Planning Checklist for Version 1.2
Assign the appropriate permissions for the IAM user role.
The user who deploys the VM-Series Auto Scaling template must either have administrative privileges or have the permissions listed in the iam-policy.json file to successfully launch this solution. Copy and paste the permissions from this file in to a new IAM policy and then attach the policy to a new or existing IAM role.
Create a Support Account on the Palo Alto Networks Support portal.
With VM-Series Auto Scaling template version 1.2, you can opt for the BYOL or PAYG (bundle 1 or bundle 2) licenses.
For BYOL, you must register the auth code to your Palo Alto Networks support account prior to launching the VM-Series Auto Scaling template.
For PAYG, you must register the VM-Series firewalls to activate your support entitlement.
For PAYG only) Review and accept the End User License Agreement (EULA).
Required, if you are launching a VM-Series firewall in an AWS account for the first time.
In the AWS Marketplace, search for Palo Alto Networks, and select the bundle you plan to use. The VM-Series Auto Scaling template will fail to deploy if you have not accepted the EULA for the bundle you plan to use.
Download the Templates, AWS Lambda code, and the bootstrap files.
Do not mix and match files across VM-Series Auto Scaling template versions.
Get the files from the following GitHub repository at: https://github.com/PaloAltoNetworks/aws-elb-autoscaling/tree/master/Version-1.2
The bootstrap.xml file bundled with this solution is designed to help you get started, and is provided for testing and evaluation only. For a production deployment, you must modify the bootstrap.xml prior to launch. See Customize the Bootstrap.xml File.
Customize the bootstrap.xml file for your production environment.
To ensure that your production environment is secure, you must Customize the Bootstrap.xml File with a unique administrative username and password. The default username and password is pandemo/demopassword. You can also use this opportunity to create an optimal firewall configuration with interfaces, zones, and security policy rules that meet your application security needs.
Decide whether you want to use Panorama for centralized logging, reporting, and firewall management.
Panorama is an option for administrative ease. It is not required to manage the auto scaling tier of VM-Series firewalls deployed in this solution.
If you want to use Panorama, you can either use the M-Series appliance or a Panorama virtual appliance on a VMware ESXi server inside your corporate network, or use a Panorama virtual appliance on vCloud Air.
To successfully register the firewalls with Panorama, you must collect the following details:
Decide whether you want to use the AWS NAT gateway or assign an EIP address to the management interface on each VM-Series firewall.
To allow the firewalls to initiate outbound requests for retrieving updates, connecting to Panorama, and publishing metrics to AWS CloudWatch, you can either deploy an AWS NAT gateway or assign an EIP address to the management interface on each firewall.
The AWS NAT gateway option allows you to conserve the use of EIP addresses; you only need one EIP address per Availability Zone (AZ). Hence, you must allocate a maximum of three EIP addresses if you deploy the VM-Series Auto Scaling template across three AZs. When you use a NAT gateway and are not using Panorama to manage the firewalls, you must deploy a jump server (a bastion host with an EIP address) within the VPC to enable SSH and/or HTTPS access to the VM-Series firewalls. This jump server is required because the management interface on the VM-Series firewalls has a private IP address only.
If you choose to assign an EIP address to the management interface of each VM-Series firewall, you must estimate the number of EIP addresses you need to enable outbound access for the VM-Series firewalls. Based on the size of your deployment, you may need to request an increase in the maximum number of EIP addresses for the AWS region; the default limit is 5 EIP addresses per account. This estimation is crucial to the deployment because AWS Lambda requires the EIP address to successfully launch the firewall.
Recommended For You
Recommended videos not found.